CVE-2025-65097
📋 TL;DR
This vulnerability allows authenticated users in RomM (ROM Manager) to delete collections belonging to other users by sending a DELETE request to the collection endpoint without proper ownership verification. It affects all RomM instances running versions prior to 4.4.1 and 4.4.1-beta.2 where multiple users have access.
💻 Affected Systems
- RomM (ROM Manager)
📦 What is this software?
Romm by Romm.app
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could systematically delete all collections in the system, causing complete data loss and service disruption for all users.
Likely Case
Authenticated users accidentally or intentionally delete collections belonging to other users, leading to data loss and potential conflicts between users.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated incidents that can be quickly detected and restored from backups.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial - simply sending a DELETE request to the vulnerable endpoint with another user's collection ID. No special tools or knowledge required beyond basic HTTP request crafting.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.1 or 4.4.1-beta.2
Vendor Advisory: https://github.com/rommapp/romm/security/advisories/GHSA-v7c8-f6xc-rv9g
Restart Required: Yes
Instructions:
1. Backup your current RomM installation and database.
2. Update RomM to version 4.4.1 or 4.4.1-beta.2 using your deployment method (Docker, manual, etc.).
3. Restart the RomM service.
4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Network-level access restriction
Restrict access to the collection DELETE endpoint using web server configuration or network firewall rules. Note that this blocks collection deletion for every user, including legitimate owners, until the patch is applied.
# Example nginx location block to restrict DELETE method
# (allowing GET also allows HEAD; every other method, DELETE included, is denied)
location /api/collections/ {
    limit_except GET POST PUT {
        deny all;
    }
}
Application-level middleware
Add custom middleware to verify collection ownership before processing DELETE requests
# This requires modifying RomM source code - not recommended for production
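The following is an added illustration of the ownership check described above, not RomM's own code: a delete handler that only authenticates the caller (the vulnerable pattern) beside one that also verifies the persisted owner before deleting and answers 403 otherwise. The in-memory store, the `Collection` dataclass and the function names are assumptions made for the example.

```python
"""Ownership check for collection deletion: vulnerable pattern beside the
hardened one. Added illustration, not RomM's own code; the in-memory
store and the function names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Collection:
    id: int
    owner_id: int
    name: str


@dataclass
class Store:
    """Constructed stand-in for the collections table."""
    collections: dict = field(default_factory=dict)


def seed_store() -> Store:
    """Two collections owned by two different users (constructed data)."""
    s = Store()
    s.collections[1] = Collection(1, owner_id=100, name="user100-favourites")
    s.collections[2] = Collection(2, owner_id=200, name="user200-rpgs")
    return s


def delete_collection_vulnerable(store: Store, current_user_id, collection_id: int) -> int:
    """Vulnerable pattern: the caller must be authenticated, but nothing
    compares the caller to the collection's owner, so any logged-in user
    can delete any collection. Returns an HTTP-style status code."""
    if current_user_id is None:
        return 401
    if collection_id not in store.collections:
        return 404
    del store.collections[collection_id]
    return 200


def delete_collection_fixed(store: Store, current_user_id, collection_id: int) -> int:
    """Hardened pattern: ownership is checked against the owner_id stored
    server-side (never a client-supplied field) before the row is removed."""
    if current_user_id is None:
        return 401
    coll = store.collections.get(collection_id)
    if coll is None:
        return 404
    if coll.owner_id != current_user_id:
        return 403
    del store.collections[collection_id]
    return 200


if __name__ == "__main__":
    s = seed_store()
    print("vulnerable, user 200 deleting collection 1:", delete_collection_vulnerable(s, 200, 1))
    s = seed_store()
    print("fixed, user 200 deleting collection 1:", delete_collection_fixed(s, 200, 1))
    print("fixed, user 100 deleting collection 1:", delete_collection_fixed(s, 100, 1))
```

The same assertion that the fixed handler returns 403 for a non-owner is what the "Verify Fix Applied" step below checks against a live instance. Whether a non-owned collection should answer 403 or 404 (to avoid revealing that the id exists) is a design choice; the advisory's expected response is 403, so that is what the example returns.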
🧯 If You Can't Patch
- Implement strict user access controls and monitor all DELETE requests to collection endpoints
- Enable comprehensive logging and alerting for unauthorized collection deletion attempts
- Maintain frequent backups of all collections to enable rapid recovery if deletion occurs
🔍 How to Verify
Check if Vulnerable:
Test if an authenticated user can delete another user's collection by sending a DELETE request to /api/collections/{other_user_collection_id}
Check Version:
Check the RomM web interface settings or API endpoint /api/version, or run: docker inspect romm_container | grep -i version
Verify Fix Applied:
After patching, verify that DELETE requests to other users' collections return proper authorization errors (403 Forbidden)
📡 Detection & Monitoring
Log Indicators:
- HTTP DELETE requests to /api/collections/ endpoints
- Failed authorization attempts for collection deletion
- Unusual patterns of collection deletion activity
Network Indicators:
- DELETE requests to collection endpoints from unexpected user accounts
- Multiple DELETE requests in short timeframes
SIEM Query:
source="romm_logs" AND (method="DELETE" AND uri="/api/collections/*") | stats count by user, uri
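The log and network indicators above, as an added example in Python rather than RomM's or any SIEM's own code: it runs the equivalent of the `stats count by user` query over constructed access-log lines, counts 403s on collection DELETEs per user, and flags users issuing several collection DELETEs inside a short window. The single-line log format (timestamp, user, method, path, status) is an assumption for the example, not RomM's actual log format.

```python
"""Detection logic for collection-deletion activity over constructed
access-log lines. Added example; the log format is an assumption, not
RomM's own, so adapt parse_line() to the real source."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: ISO timestamp, user, method, path, status.
SAMPLE_LOG = """\
2025-01-10T12:00:01Z alice DELETE /api/collections/7 200
2025-01-10T12:00:03Z bob GET /api/collections/7 200
2025-01-10T12:00:05Z bob DELETE /api/collections/7 403
2025-01-10T12:00:06Z bob DELETE /api/collections/8 403
2025-01-10T12:00:07Z bob DELETE /api/collections/9 403
2025-01-10T12:00:08Z bob DELETE /api/roms/1 403
2025-01-10T12:05:00Z carol DELETE /api/collections/3 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
COLLECTION_PATH_RE = re.compile(r"^/api/collections/")


def parse_line(line: str):
    """Parse one log line into a dict, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, path, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "method": method,
        "path": path,
        "status": int(status),
    }


def collection_deletes(log_text: str):
    """Only DELETEs whose path is under /api/collections/ (other endpoints are ignored)."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [e for e in events
            if e and e["method"] == "DELETE" and COLLECTION_PATH_RE.match(e["path"])]


def deletes_by_user(log_text: str) -> dict:
    """Equivalent of the SIEM query's `stats count by user`."""
    counts = defaultdict(int)
    for e in collection_deletes(log_text):
        counts[e["user"]] += 1
    return dict(counts)


def forbidden_by_user(log_text: str) -> dict:
    """Failed (403) collection-deletion attempts per user."""
    counts = defaultdict(int)
    for e in collection_deletes(log_text):
        if e["status"] == 403:
            counts[e["user"]] += 1
    return dict(counts)


def burst_users(log_text: str, threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> set:
    """Users issuing at least `threshold` collection DELETEs within any
    sliding window of length `window` (the "multiple DELETEs in short
    timeframes" indicator)."""
    by_user = defaultdict(list)
    for e in collection_deletes(log_text):
        by_user[e["user"]].append(e["ts"])
    flagged = set()
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    print("deletes by user:", deletes_by_user(SAMPLE_LOG))
    print("403s by user:", forbidden_by_user(SAMPLE_LOG))
    print("burst users:", burst_users(SAMPLE_LOG))
```

One caveat worth keeping in mind: on an unpatched instance the unauthorized deletions succeed, so they are logged with 200, not 403. Counting 403s therefore only becomes a useful signal after the patch (or a workaround) is in place; before that, the per-user volume and burst checks are what surface the activity, ideally correlated with the collection's owner from the database.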